Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.
-p)¶| Parameter | Function |
|---|---|
443 | Https port |
80 | Http port (required for http validation and http -> https redirect) |
-e)¶| Env | Function |
|---|---|
PUID=1000 | for UserID - see below for explanation |
PGID=1000 | for GroupID - see below for explanation |
TZ=Etc/UTC | specify a timezone to use, see this list. |
URL=yourdomain.url | Top url you have control over (customdomain.com if you own it, or customsubdomain.ddnsprovider.com if dynamic dns). |
VALIDATION=http | Certbot validation method to use, options are http or dns (dns method also requires DNSPLUGIN variable set). |
SUBDOMAINS=www, | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. www,ftp,cloud. For a wildcard cert, set this exactly to wildcard (wildcard cert is available via dns validation only) |
CERTPROVIDER= | Optionally define the cert provider. Set to zerossl for ZeroSSL certs (requires existing ZeroSSL account and the e-mail address entered in EMAIL env var). Otherwise defaults to Let's Encrypt. |
DNSPLUGIN=cloudflare | Required if VALIDATION is set to dns. Options are acmedns, aliyun, azure, bunny, cloudflare, cpanel, desec, digitalocean, directadmin, dnsimple, dnsmadeeasy, dnspod, do, domeneshop, dreamhost, duckdns, dynudns, freedns, gandi, gehirn, glesys, godaddy, google, google-domains, he, hetzner, infomaniak, inwx, ionos, linode, loopia, luadns, namecheap, netcup, njalla, nsone, ovh, porkbun, rfc2136, route53, sakuracloud, standalone, transip, and vultr. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under /config/dns-conf. |
PROPAGATION= | Optionally override (in seconds) the default propagation time for the dns plugins. |
EMAIL= | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
ONLY_SUBDOMAINS=false | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to true |
EXTRA_DOMAINS= | Additional fully qualified domain names (comma separated, no spaces) ie. extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org |
STAGING=false | Set to true to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-v)¶| Volume | Function |
|---|---|
/config | Persistent config files |
| Parameter | Function |
|---|---|
Warning
This image utilises cap_add or sysctl to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.
You can set any environment variable from a file by using a special prepend FILE__.
As an example:
Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.
-p)¶| Parameter | Function |
|---|---|
443 | Https port |
80 | Http port (required for http validation and http -> https redirect) |
-e)¶| Env | Function |
|---|---|
PUID=1000 | for UserID - see below for explanation |
PGID=1000 | for GroupID - see below for explanation |
TZ=Etc/UTC | specify a timezone to use, see this list. |
URL=yourdomain.url | Top url you have control over (customdomain.com if you own it, or customsubdomain.ddnsprovider.com if dynamic dns). |
VALIDATION=http | Certbot validation method to use, options are http or dns (dns method also requires DNSPLUGIN variable set). |
SUBDOMAINS=www, | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. www,ftp,cloud. For a wildcard cert, set this exactly to wildcard (wildcard cert is available via dns validation only) |
CERTPROVIDER= | Optionally define the cert provider. Set to zerossl for ZeroSSL certs (requires existing ZeroSSL account and the e-mail address entered in EMAIL env var). Otherwise defaults to Let's Encrypt. |
DNSPLUGIN=cloudflare | Required if VALIDATION is set to dns. Options are acmedns, aliyun, azure, bunny, cloudflare, cpanel, desec, digitalocean, directadmin, dnsimple, dnsmadeeasy, dnspod, do, domeneshop, dreamhost, duckdns, dynudns, freedns, gandi, gehirn, glesys, godaddy, google, he, hetzner, infomaniak, inwx, ionos, linode, loopia, luadns, namecheap, netcup, njalla, nsone, ovh, porkbun, rfc2136, route53, sakuracloud, standalone, transip, and vultr. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under /config/dns-conf. |
PROPAGATION= | Optionally override (in seconds) the default propagation time for the dns plugins. |
EMAIL= | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
ONLY_SUBDOMAINS=false | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to true |
EXTRA_DOMAINS= | Additional fully qualified domain names (comma separated, no spaces) ie. extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org |
STAGING=false | Set to true to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes. |
-v)¶| Volume | Function |
|---|---|
/config | Persistent config files |
| Parameter | Function |
|---|---|
Warning
This image utilises cap_add or sysctl to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.
You can set any environment variable from a file by using a special prepend FILE__.
As an example:
Will set the environment variable MYVAR based on the contents of the /run/secrets/mysecretvariable file.
For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional -e UMASK=022 setting. Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up here before asking for support.
When using volumes (-v flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user PUID and group PGID.
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
In this instance PUID=1000 and PGID=1000, to find yours use id your_user as below:
Example output:
We publish various Docker Mods to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.
Shell access whilst the container is running:
The ARM variants can be built on x86_64 hardware using multiarch/qemu-user-static
Once registered you can define the dockerfile to use with -f Dockerfile.aarch64.
priv-fullchain-bundle.pem.certbot-dns-dynudns.stream.conf inside the container to allow users to include their own block in nginx.conf.google-domains.STAGING=true, and failures in revoking.ssl.conf.SUBDOMAINS var as optional.resolver.conf and patch for CVE-2021-32637.dhparams.pem per RFC7919. Added worker_processes.conf, which sets the number of nginx workers, and resolver.conf, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.CERTPROVIDER env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide donoteditthisfile.conf because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled.